[personal profile] mjg59
The Microsoft Surface is a fairly attractive bit of tablet hardware, and as a result people have shown interest in running Linux on it. The immediate problem is that (like many ARM devices) it has a locked-down firmware that will only run signed binaries - unlike many other ARM devices, this is implemented using an existing standard (UEFI Secure Boot). Microsoft provide a signing service for UEFI binaries, so it's tempting to think that getting around this restriction would be as simple as taking an existing Linux bootloader, signing it and then booting. Unfortunately Microsoft's signing service signs binaries using a different key (the "Microsoft Windows UEFI Driver Publisher" key) to the one used to sign Windows, and the Surface doesn't carry that key. Booting Linux on these devices would involve finding a flaw in the firmware and using that to run arbitrary code.

Could this also be a problem on x86? In theory - Microsoft don't require that vendors carry the driver publisher key, and so a system could be Windows 8 certified and still not carry it. It's unlikely to occur in practice, though, since any third party expansion hardware will then fail on that device. As a result, anything with PCIe or Expresscard slots is effectively certain to have this key. If anyone finds any counterexamples, please let me know.

Fujitsu's laptop

Date: 2012-12-30 01:16 am (UTC)
From: (Anonymous)
I failed to boot any kind of EFI binary on a Fujitsu's secure boot-enabled x86 laptop.
The only binary that EFI will start is Windows Boot Manager.

Date: 2012-12-30 09:56 am (UTC)
From: (Anonymous)
who the fuck cares about linux?

Date: 2012-12-30 05:33 pm (UTC)
From: (Anonymous)
This is one of the reason why I won't buy a MS surface tablet. UEFI, like DRM, cripples the product. Why support such trash?

Quite irrelevant

Date: 2012-12-31 12:05 am (UTC)
From: (Anonymous)
Unless you count Android, we don't have any Linux environment to run on tablet computers.

And please don't say GNOME runs on tablets, it is utter crap and there's not the slightest light at the end of the tunnel. Really.

OEM laptops - not yet, but probably soon

Date: 2013-01-03 11:53 pm (UTC)
From: (Anonymous)
lenovo and HP currently use a PCI ID whitelist in their firmwares to prevent WiFi and 3G cards they didn't rebrand and sell at a markup from working in laptops they make.

I will be very surprised if they do not omit the UEFI driver signing key on some laptops and servers to force you to use only supported, authorized and conveniently marked up hardware for disk/RAID controllers, hardware iSCSI initiators, PXE-capable NICs, remote management cards (VGA+USB host interface to Ethernet and VNC), etc. The temptation of lock-in and high margins is likely to be too strong, as we've already seen with various OEM's periodic attempts to lock server hardware support to their own storage controllers.


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Page Summary

Expand Cut Tags

No cut tags